Question

Nginx Proxy server to App Platform app is getting a 403 Access Denied - Cloudflare error

I’m having an issue trying to proxy pass to my App Platform application from another server.

I have a .NET 6 app running in a Docker container on App Platform. This is running fine. I hit my API from my REST client using the domain given to my app by App Platform.

What I’m trying to do now is add an entry to my server running Nginx to proxy requests from my domain to the application on App Platform.

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

This works fine; my API receives the request, but the Host header of the request is the App Platform domain (https://my-app-platform-app.ondigitalocean.app), and I want my domain from my proxy server (https://mydomain.com) as the Host header. So what I did was set the Host header with proxy_set_header in my Nginx config like below.

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

Now when I try to access my API from mydomain.com/api I get a 403 Permission Denied - Cloudflare error.

Has anyone encountered this issue, or does anyone know what I’m doing wrong with this?

Thank you.



I answered this on the Stack Overflow question. I hope this helps the next person, as it took me two days of breaking my application to get right.

https://stackoverflow.com/questions/72855369/nginx-proxy-server-to-digital-ocean-app-platform-app-is-getting-a-403-access-den

I was unable to find a solution to the original error with the 403 Permission Denied Cloudflare error. I posted on the Digital Ocean Community board but didn’t have any luck there either. There aren’t many details as to why Cloudflare is returning the 403 (it returns a blank white page with a 403 error, no details), nor could I find anything in Digital Ocean. I did find one question on the Digital Ocean Community board with the same error, but there wasn’t any solution for it either.

I figured I’d post a temporary solution that I’m using as a workaround until I can troubleshoot this further. Instead of setting the Host header I simply just added a new custom header X-Host and set it to $host. This gets passed properly to my API running in a docker container.

In my .NET 6 app I check for the X-Host header first to see if it’s set and use the Host header as a fallback if it isn’t.

My Nginx config looks like this now…

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        X-Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

If this is a CORS request you might have to set up a CORS policy in Digital Ocean. You can follow their guide below for setting that up.

https://docs.digitalocean.com/products/app-platform/how-to/configure-cors-policies/
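
The X-Host-first, Host-fallback check described in the answer, as an added example for a .NET 6 minimal API (not the answerer's code, which the page does not show). It adds an allowlist because X-Host is an ordinary request header that any client calling the App Platform URL directly can set. The `/api/whoami` route and the `EffectiveHost` class are hypothetical names; `mydomain.com` is the placeholder domain from the configs above.

```csharp
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();

// Hypothetical endpoint that echoes the host name the app will act on.
app.MapGet("/api/whoami", (HttpContext ctx) =>
    EffectiveHost.Resolve(
        ctx.Request.Headers["X-Host"].ToString(),  // "" if absent, "a,b" if repeated
        ctx.Request.Host.Host));                   // Host header without the port

app.Run();

static class EffectiveHost
{
    // Same names as the proxy's server_name: mydomain.com or one subdomain label.
    // \z (not $) so a trailing newline can never satisfy the pattern.
    private static readonly Regex Allowed = new(
        @"^(?:[A-Za-z0-9_-]+\.)?mydomain\.com\z",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Resolve(string? xHost, string hostHeader)
    {
        var candidate = xHost?.Trim();

        // X-Host is client-controllable when the app is reached without the
        // proxy, so accept it only when it names one of our own domains.
        if (!string.IsNullOrEmpty(candidate) && Allowed.IsMatch(candidate))
            return candidate.ToLowerInvariant();

        // Absent, repeated, or unexpected X-Host: fall back to the Host header.
        return hostHeader.ToLowerInvariant();
    }
}
```

A repeated X-Host header arrives as a comma-joined value, fails the pattern, and falls through to the Host header, so a second injected copy cannot override the proxy's value.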